Protecting against network resources associated with undesirable activities

ABSTRACT

Various embodiments provide protection against web resources associated with one or more undesirable activities. In at least some embodiments, a method detects and responds to a user-initiated activity on a computing device. Responding can include, by way of example and not limitation, checking locally, on the computing device, whether a web resource that is associated with the user-initiated activity has been identified as being associated with a safe site. Furthermore, in at least some embodiments, the method checks remotely, away from the computing device, whether the web resource is identified as being at least possibly associated with one or more undesirable activities.

RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S. application Ser. No. 11/272,473, filed on Nov. 10, 2005, and entitled “Dynamically protecting against web resources associated with undesirable activities,” the disclosure of which is hereby incorporated by reference herein in its entirety.

BACKGROUND

Many threats have emerged regarding online communications. Often, these threats involve web resources that can be associated with undesirable activities that can somehow impact a user and/or the user's computing device. Undesirable activities can come in many shapes and sizes. For example, phishing, where scammers or other bad actors attempt to gain illegal or unauthorized access to private information, is one example of such a threat.

Online communication can allow these scammers to reach many people easily through the use of such things as e-mail, instant messaging, or rogue web pages. Often, a user is misled into navigating to a fraudulent link that the user believes is trustworthy. As a consequence, the user may be subject to attempts to elicit private information from the user. For example, a user might type “bankoamerica.com” in an address box in an attempt to link to a Bank of America website. Once the user navigates to what appears to be, but is not, a legitimate Bank of America website, the user might inadvertently divulge private information upon request and thus be “phished”.

Another way in which a user can be “phished” is by responding to an email that appears to the user to be legitimate. For example, the user may be involved in an online transaction (such as an eBay auction) and receive an email which requests that the user click a link and enter personal information in that regard.

Other examples of undesirable activities can include such things as unknowingly receiving spyware or malware.

SUMMARY

Various embodiments can protect a user against web resources associated with one or more undesirable activities. In at least some embodiments, a method detects and responds to a user-initiated activity on a computing device. Responding can include, by way of example and not limitation, checking locally, on the computing device, whether a web resource that is associated with the user-initiated activity has been identified as being associated with a safe site. After checking locally, some embodiments present the user with a notification that the web resource is not associated with a safe site. The user is then given an option to check remotely or to continue with the user-initiated activity without checking remotely. Furthermore, in at least some embodiments, if the web resource is not identified as being associated with a safe site, the method checks remotely, away from the computing device, whether the web resource is identified as being at least possibly associated with one or more undesirable activities.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example operating environment in accordance with one or more embodiments.

FIG. 2 is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 3 continues from FIG. 2 and is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 4 is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 5 continues from FIG. 4 and is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 6 is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 7 continues from FIG. 6 and is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 8 illustrates a notification icon and list box presented to a user in accordance with one or more embodiments.

FIG. 9 illustrates a dialog box presented to a user in accordance with one or more embodiments.

FIG. 10 illustrates a dialog box presented to a user in accordance with one or more embodiments.

DETAILED DESCRIPTION

Various embodiments can protect a user against web resources associated with one or more undesirable activities. In at least some embodiments, a method detects and responds to a user-initiated activity on a computing device. Responding can include, by way of example and not limitation, checking locally, on the computing device, whether a web resource that is associated with the user-initiated activity has been identified as being associated with a safe site. After checking locally, some embodiments present the user with a notification that the web resource is not associated with a safe site. The user is then given an option to check remotely or to continue with the user-initiated activity without checking remotely. Furthermore, in at least some embodiments, if the web resource is not identified as being associated with a safe site, the method checks remotely, away from the computing device, whether the web resource is identified as being at least possibly associated with one or more undesirable activities.

Example Implementation

FIG. 1 illustrates an exemplary system, generally at 100, in which various embodiments described below can be implemented in accordance with one embodiment. These various embodiments can protect against web resources that are determined or suspected of being associated with one or more undesirable activities.

There, system 100 includes a client 102 in the form of a computing device, a server 104 that is remote from the computing device, and a network 106 through which client 102 and server 104 can communicate. Client 102 can comprise any suitable computing device, such as a general purpose computer, handheld computer, and the like. In one embodiment, network 106 comprises the Internet.

In this example, client 102 embodies one or more software applications 108 through which client 102 and server 104 can communicate. Software application(s) 108 typically reside in the form of computer-readable instructions that reside on some type of computer-readable medium. Although any suitable application can be used, in the embodiments described in this document, an application in the form of a web browser is used. It is to be appreciated and understood, however, that other types of applications can be used without departing from the spirit and scope of the claimed subject matter. For example, applications such as word processing applications, email applications, spreadsheet applications, and the like can utilize various techniques described in this document.

Various techniques may be described herein in the general context of software or program modules. Generally, software includes routines, programs, objects, components, data structures, and so forth that perform particular tasks or implement particular abstract data types. An implementation of these modules and techniques may be stored on or transmitted across some form of computer readable media. Computer readable media can be any available medium or media that can be accessed by a computing device. By way of example, and not limitation, computer readable media may comprise “computer-readable storage media”.

“Computer-readable storage media” include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or other data. Computer-readable storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.

FIGS. 2 and 3 are flow diagrams that describe a method in accordance with one embodiment. The method can be implemented in connection with any suitable hardware, software, firmware or combination thereof. In one embodiment, the method is implemented in software in the form of computer-executable instructions, such as those defining an application that executes on a client computing device.

Step 200 detects a user-initiated activity on a client computing device. Any suitable application can be used to detect the user-initiated activity. For example, in one embodiment, an application in the form of a web browser is used to detect a user-initiated activity in the form of a navigation associated with a web resource. In addition, any suitable manner of initiating the navigation can be utilized. For example, in some embodiments, navigation can be initiated by a user clicking on a particular link that the user finds on a web page. Alternately or additionally, the navigation can be initiated by a user typing a URL in an appropriate address box that comprises part of a web page that they are browsing.

Responsive to detecting the user-initiated activity, step 202 checks locally, on the client computing device, to ascertain whether a web resource that is associated with the user-initiated activity is identified as being associated with a safe site. This step of checking locally on the client computing device can occur contemporaneously with the user-initiated activity. For example, conducting such a check can occur contemporaneously with conducting a navigation associated with a third-party web site.

In some embodiments, the local device can maintain a list of sites that have been determined as safe. For example, the microsoft.com® site might appear on such a list and be considered a safe site. More generally, a safe site can be considered as one that is not associated with activities that are considered to be undesirable. One type of undesirable activity is phishing, although other undesirable activities can be the subject of the check without departing from the spirit and scope of the claimed subject matter. These other activities can include, by way of example and not limitation, activities associated with exposing the user to malware or spyware.

In conducting the local check, step 202 can be performed in any suitable way. By way of example and not limitation, a Uniform Resource Locator (URL) associated with a user-initiated navigation can be compared to a local list of URLs which are known to be safe.

If a match occurs (the “yes” branch from step 204), the URL associated with the navigation is identified as being associated with a safe site and step 206 allows the user to continue with the user-initiated activity.

If, on the other hand, the web resource is not identified as being associated with a safe site (i.e. the “no” branch from step 204), then step 208 checks remotely from the computing device to ascertain whether the web resource is identified as at least possibly being associated with one or more undesirable activities.

The step of checking remotely from the computing device can also occur contemporaneously with the user-initiated activity. For example, during the remote check, a user-initiated navigation to a third party site can be allowed to continue to provide a smoothly-perceived user experience.

The remote check can be performed in any suitable way. While FIGS. 2 and 3 illustrate this step as being performed remotely from the client computing device, this is not to be construed as meaning that one or more portions of this step, as described below, cannot be performed on the local client computing device.

As an example, consider the following. In at least some embodiments, one or more remote servers can be provided with information associated with a particular web resource, such as a link or web site. This information can come from a third party service that is designed to look for and keep track of sites that are or become affiliated with undesirable activities such as phishing and the like. In some instances, this information might be utilized to develop what is referred to as reputation information which can then be used as part of a score-based system to rank the web resource, as described below. More specifically, the reputation information can be provided to the local computing device which can then compute a local score associated with the web resource. The reputation information and the local score can then be processed to derive a reputation score that is associated with the web resource. Utilizing one or more of these scores, the web resource can be ranked in categories such as: a web resource known to be associated with one or more undesirable activities, a web resource suspected of being associated with one or more undesirable activities, or a web resource that is not known or suspected of being associated with one or more undesirable activities.

Step 210 determines whether the web resource is identified as at least possibly being associated with one or more undesirable activities. This can be accomplished in any suitable way. For example, here this can be accomplished by utilizing the web resource's derived reputation score, as noted above. Furthermore, this step can be performed completely remotely from the client computing device.

In the event that the web resource is identified as at least possibly being associated with one or more undesirable activities (i.e. the “yes” branch from step 210), step 212 provides a notification to this effect and step 214 (FIG. 3) notifies the user of this information. This can be performed in any suitable way. For example, the user might only be presented with an alert and/or a dialog box when the web resource has been identified as being suspected or actually being associated with undesirable activities. For example, in a score-based system, if the web resource is ranked in an appropriate category that suggests an undesirable association, then the user might be notified.

If the web resource is not identified as being associated with undesirable activities (i.e. the “no” branch from step 210), then a similar notification can be provided to the user at step 212.

Step 216 gives or provides the user with an option to continue the user-initiated activity. Typically this step is performed in the event that the web resource is identified as being associated with an undesirable activity, although it is illustrated slightly differently here.

Protecting Against Phishing Activities

As noted above, in at least some embodiments, techniques discussed herein can be implemented in the context of policing against phishing activities. By detecting a user-initiated activity and checking to ascertain whether an associated web resource is associated with phishing, the user can be protected from attempts by scammers or other bad actors to gain illegal or unauthorized access to private information.

As an example, consider FIGS. 4 and 5, which illustrate a method, in accordance with one embodiment, of protecting against phishing activities. The method can be implemented in connection with any suitable hardware, software, firmware or combination thereof. In one embodiment, the method is implemented in software in the form of computer-executable instructions, such as those defining an application that executes on a client computing device.

Step 400 detects a user-initiated activity on a client computing device. Any suitable application can be used to detect the user-initiated activity. For example, in one embodiment, an application in the form of a web browser is used to detect a user-initiated activity in the form of an attempted navigation associated with a web resource.

Responsive to detecting the user-initiated activity, step 402 checks locally on the client computing device to determine whether a web resource that is associated with the user-initiated activity is identified as being associated with a safe site.

This step of checking, locally on the client computing device, can occur contemporaneously with the user-initiated activity. A safe site can be any site that is not associated with phishing activities. The local check that is performed can be performed in the same or similar manner as described above.

Step 404 determines whether the web resource that is associated with the user-initiated activity is identified as being associated with a safe site. If it is, then step 406 allows the user to continue with the user-initiated activity.

If, on the other hand, the web resource is not identified as being associated with a safe site, then step 408 checks remotely from the computing device, whether the web resource is identified as at least possibly being associated with a phishing activity. The remote check that is performed can be performed in the same or similar manner as described above.

Step 410 determines whether the web resource is identified as at least possibly being associated with a phishing activity. This can be accomplished by utilizing the web resource's derived reputation score, as noted above.

Step 412 provides a notification whether the web resource is identified as at least being associated with a phishing activity and step 414 (FIG. 5) notifies the user of this information. This can be performed in any suitable way. For example, the user might only be presented with an alert and/or dialog box when the web resource is ranked in one or more of the categories discussed above. Alternately, the user might always be presented with an alert and/or dialog box.

Step 416 gives or provides the user with an option to continue the user-initiated activity. Typically this step is performed in the event that the web resource is identified as being associated with a phishing activity, although it is illustrated slightly differently here.

One example of how steps 412-414 can be implemented, including the user interfaces that can be employed, is illustrated and discussed below in regards to FIGS. 9-10.

Providing a User with an Option to Check a Web Resource

As described above, in order to determine whether a web resource is associated with an undesirable activity, checking occurs remotely from the user's computing device. Doing so, however, can cause privacy concerns for some users. For example, if a user wants to navigate to a certain webpage, the URL of the web page can be sent to a remote server to verify the absence of any undesirable activities, such as phishing. Certain users may be uncomfortable with the notion of allowing a remote server to see certain web pages that the user frequents. Thus, some users may find it desirable to have the option of determining whether or not the remote check takes place.

FIGS. 6 and 7 are flow diagrams that describe a method in accordance with one embodiment with the aforementioned privacy concerns in mind. The method can be implemented in connection with any suitable hardware, software, firmware or combination thereof. In one embodiment, the method is implemented in software in the form of computer-executable instructions, such as those defining an application that executes on a client computing device.

Step 600 detects a user-initiated activity on a computing device. In but one embodiment, and as noted above, one such activity takes place when the user clicks on a link associated with a web resource. Such a link might be present as part of a web page, an email document, or some other document on which a user might be working. Other examples of user-initiated activities are given above.

After detecting a user-initiated activity, the web resource can be checked locally as discussed above and as illustrated by step 602. Step 604 then determines whether the web resource is identified as being associated with a safe site. If it is, then step 610 allows the user to continue with the user-initiated activity. Checking locally poses no security risks because all of the information is already contained on the user's computing device.

If, however, the local check reveals that the web resource is not identified as being associated with a safe site (e.g., not contained in the local list of safe sites), the user can be notified as follows.

Step 606 presents a user with a notification that enables the user to opt to have a web resource checked to ascertain whether the web resource is associated with one or more undesirable activities. This notification effectively alerts the user that the web resource is not on the local list of safe sites and asks the user whether he or she would like to check remotely from the computing device to determine whether the web resource associated with, for example, an attempted navigation, is associated with any undesirable activities. Examples of undesirable activities were given above.

If, at step 608, the user declines to check remotely, step 610 allows the user to continue with their activity. On the other hand, if the user opts to conduct the remote check, step 612 conducts the remote check by sending a request to an appropriate server or other remote device.

Step 614 determines whether the web resource is associated with any undesirable activities. This step can be performed in any suitable way, examples of which are provided above. Step 616 provides a notification to the user with regard to the remote check that was performed. Step 618 (FIG. 7) receives this notification from the remote server and presents the notification to the user.

The notification can either tell the user whether or not the web resource is associated with any undesirable activities, or provide information that can further be used to make that decision, as described above.

If the web resource is not associated with any undesirable activities, the user can continue with his or her activity. On the other hand, if the web resource is determined to be associated with undesirable activities, step 620 can provide the user with an option to continue with the activity despite the association with undesirable activities.
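The flow of FIGS. 6 and 7, together with the score-based ranking described earlier, can be sketched as follows. This is an added example, not code from the patent: the host-based list matching, the local heuristics, the 70/30 weighting, the category thresholds, the trimming of the URL before it is sent, and the in-memory stand-in for the remote server are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed local list of safe sites (the page gives microsoft.com as an example).
SAFE_HOSTS = frozenset({"microsoft.com", "example.org"})
# Constructed stand-in for the remote server's reputation information, 0..100.
REMOTE_DB = {"http://198.51.100.7/": 90, "http://login.example.net/": 60}


class Category(Enum):
    KNOWN = "known to be associated with undesirable activities"
    SUSPECTED = "suspected of being associated with undesirable activities"
    NOT_KNOWN_OR_SUSPECTED = "not known or suspected"


@dataclass(frozen=True)
class Decision:
    checked_remotely: bool
    category: Optional[Category]   # None when no remote check was made
    sent_to_server: Optional[str]  # exactly what left the device, if anything
    prompt_user: bool              # True: offer "continue or close" (step 620)


def host_of(url: str) -> str:
    # urlsplit().hostname ignores any "user@" prefix and the port.
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_locally_safe(url: str, safe_hosts=SAFE_HOSTS) -> bool:
    """Steps 602/604: on-device check; nothing is transmitted."""
    if urlsplit(url).scheme not in ("http", "https"):
        return False
    host = host_of(url)
    # Assumption: a listed host also covers its subdomains, matched only on a
    # label boundary so "notmicrosoft.com" is not treated as "microsoft.com".
    return any(host == s or host.endswith("." + s) for s in safe_hosts)


def local_score(url: str) -> int:
    """Assumed on-device heuristics, 0..100; the page does not define them."""
    parts, host, score = urlsplit(url), host_of(url), 0
    try:
        ipaddress.ip_address(host)
        score += 40                      # raw IP address instead of a name
    except ValueError:
        pass
    if parts.username is not None:
        score += 30                      # text before "@" is not the real host
    if any(label.startswith("xn--") for label in host.split(".")):
        score += 20                      # punycode (internationalised) label
    if host.count(".") >= 4:
        score += 10                      # deeply nested subdomains
    return min(score, 100)


def lookup_key(url: str) -> str:
    """Assumed data minimisation: send scheme, host and path only."""
    parts, host = urlsplit(url), host_of(url)
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    return urlunsplit((parts.scheme, host, parts.path or "/", "", ""))


def categorize(score: int) -> Category:
    # Assumed thresholds; the page names the three categories, not the cut-offs.
    if score >= 70:
        return Category.KNOWN
    if score >= 40:
        return Category.SUSPECTED
    return Category.NOT_KNOWN_OR_SUSPECTED


def fake_remote(key: str) -> int:
    return REMOTE_DB.get(key, 0)         # no network I/O in this example


def handle_navigation(url: str, user_opts_in: Callable[[str], bool],
                      remote_reputation: Callable[[str], int] = fake_remote,
                      auto_check: bool = False) -> Decision:
    if is_locally_safe(url):                           # 604 "yes" -> 610
        return Decision(False, None, None, False)
    if not (auto_check or user_opts_in(url)):          # 606/608 declined -> 610
        return Decision(False, None, None, False)
    key = lookup_key(url)                              # 612: request to server
    reputation = remote_reputation(key)
    # Assumed weighting of reputation information and local score.
    score = (70 * reputation + 30 * local_score(url)) // 100
    category = categorize(score)                       # 614-618
    return Decision(True, category, key,
                    category is not Category.NOT_KNOWN_OR_SUSPECTED)
```

The `sent_to_server` field makes the privacy trade-off auditable: it is `None` whenever the local list matched or the user declined, so a test can confirm that no URL leaves the device on those branches.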

In Operation

The above methodology can be implemented in any suitable way using any suitable technology. As but one example of how the above-described techniques can be implemented from the perspective of the user, consider FIGS. 8-10.

Specifically, if a particular user has chosen to be given the option of determining whether a remote check will occur, a notification icon, such as that shown at 800 in FIG. 8, can appear when a user-initiated activity is detected. This icon may appear in the toolbar of a web browser for the purpose of alerting the user that the web resource to which he wishes to navigate is not on the local list of safe sites. When the user clicks on this icon, a list box can be presented to the user. One such list is shown at 802. The list gives the user the ability or option to check the website, turn on automatic checking, report the website, or change phishing filter settings.

If the user selects “check this website”, the website will be checked remotely from the user's computing device as described above. If the user selects “turn on automatic checking” the website will be checked remotely from the user's computing device, and the next time that a user-initiated activity is detected and the web resource is not on the local list of safe sites, the remote check will automatically occur without notifying the user.

FIG. 9 illustrates a dialog box that is presented to a user when a website that the user has attempted to navigate to has been determined to be associated with a phishing activity. There, the user is notified that the website is a reported phishing website and is given the option of either continuing to the website or of closing the web page.

FIG. 10 illustrates a dialog box that is presented to a user when a website that the user has attempted to navigate to is determined to not be associated with a phishing activity. There, the user is notified that the website is not a suspicious or reported website and the user can click “OK” to continue.

CONCLUSION

Various embodiments provide protection against web resources associated with one or more undesirable activities. In this manner, a user and/or the user's computing device can be protected from activities that could prove harmful.

Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

1. A computer-implemented method comprising: checking locally on a computing device to determine whether a website is identified as being associated with a safe site, wherein the safe site is a site that is not associated with an undesirable activity including one or more of a phishing activity, a malware activity, or a spyware activity; and if the website is not identified locally on the computing device as being associated with a safe site, causing a request to be transmitted for receipt by a remote resource to determine if the website is identified by the remote resource as being associated with the undesirable activity.

2. The method as recited in claim 1, wherein the checking locally on the computing device to determine whether the website is identified as being associated with a safe site is responsive to an attempted navigation to the website via the computing device.

3. The method as recited in claim 1, wherein the checking locally on the computing device to determine whether the website is identified as being associated with a safe site comprises checking the website against a list of sites that are considered to be safe sites.

4. The method as recited in claim 1, wherein the checking locally on the computing device to determine whether the website is identified as being associated with a safe site occurs contemporaneously with a navigation to the website via the computing device.

5. The method as recited in claim 1, further comprising: receiving an indication of whether or not the website is identified by the remote resource as being associated with the undesirable activity; and causing a visual indicia of the indication to be displayed via the computing device.

6. The method as recited in claim 1, further comprising: receiving an indication of whether or not the website is identified by the remote resource as being associated with the undesirable activity; and providing an option to continue a navigation to the website.

7. The method as recited in claim 1, further comprising receiving an indication of whether or not the website is identified by the remote resource as being associated with the undesirable activity, the indication being based on a local score from the computing device and reputation information from the remote resource.

8. The method as recited in claim 1, further comprising, if the website is not identified locally on the computing device as being associated with a safe site, navigating to the website contemporaneously with causing the request to be transmitted for receipt by the remote resource.

9. A computer-implemented method comprising: checking locally on a device to determine whether a network resource is identified as being associated with a safe resource, wherein the safe resource is a resource that is not associated with an undesirable activity including one or more of a phishing activity, a malware activity, or a spyware activity; and if the network resource is not identified locally on the device as being associated with a safe resource: causing a request to be transmitted for receipt by a remote resource to determine if the network resource is identified by the remote resource as being associated with the undesirable activity; and receiving an indication of whether or not the network resource is associated with the undesirable activity.

10. The method as recited in claim 9, wherein the checking locally on the device to determine whether the network resource is identified as being associated with a safe resource is responsive to an attempted navigation to the network resource via the device.

11. The method as recited in claim 9, wherein the network resource comprises a web site, and wherein the checking locally on the device to determine whether the network resource is identified as being associated with a safe resource comprises using a web browser to check the web site.

12. The method as recited in claim 9, wherein the checking locally on the device to determine whether the network resource is identified as being associated with a safe resource comprises checking the network resource against a list of network resources that are considered to be safe network resources.

13. The method as recited in claim 12, wherein the list of network resources comprises uniform resource locators (URLs) for the network resources.

14. The method as recited in claim 9, wherein the indication of whether or not the network resource is associated with the undesirable activity is based on a reputation score for the network resource, the reputation score being calculated based on a local score from the device and reputation information from the remote resource.

15. The method as recited in claim 14, wherein the reputation score indicates that the network resource is associated with the undesirable activity, the method further comprising causing to be displayed a visual indication of the reputation score.

16. The method as recited in claim 9, wherein the checking locally on the device to determine whether the network resource is identified as being associated with a safe resource comprises calculating a reputation score for the network resource, the reputation score being calculated based on a local score from the device and reputation information from the remote resource.

17. The method as recited in claim 9, further comprising, if the network resource is not identified locally on the device as being associated with a safe resource, navigating to the network resource contemporaneously with causing the request to be transmitted for receipt by the remote resource.

18. The method as recited in claim 9, further comprising presenting an option to continue a navigation to the network resource responsive to receiving the indication of whether or not the network resource is associated with the undesirable activity.

19. A computer-implemented method comprising: calculating a local score for a network resource; receiving reputation information associated with the network resource from a remote resource; and calculating a reputation score for the network resource using the local score and the reputation information, the reputation score indicating that: the network resource is known to be associated with one or more undesirable activities; the network resource is suspected of being associated with one or more undesirable activities; or the network resource is not known or suspected of being associated with one or more undesirable activities.

20. The method as recited in claim 19, further comprising: presenting via a computing device a visual indication of the reputation score; and providing an option to navigate to the network resource via the computing device.